Cover and Decomposition Index Calculus on Elliptic Curves made practical. Application to a previously unreachable curve over Fp6. Vanessa VITSE, Antoine JOUX, Université de Versailles Saint-Quentin, Laboratoire PRISM. Eurocrypt 2012.


SLIDE 1

Cover and Decomposition Index Calculus on Elliptic Curves made practical

Application to a previously unreachable curve over Fp6 Vanessa VITSE – Antoine JOUX

Université de Versailles Saint-Quentin, Laboratoire PRISM

Eurocrypt 2012

Vanessa VITSE (UVSQ) Cover and decomposition index calculus 16 April 2012 1 / 21

SLIDE 2

Known attacks of the ECDLP

Section 1 Known attacks of the ECDLP



SLIDE 4

Known attacks of the ECDLP Generalities on the DLP

Discrete logarithm problem

Discrete logarithm problem (DLP)

Given a group G and g, h ∈ G, find, when it exists, an integer x such that $h = g^x$.

Difficulty is related to the group:

1. Generic attacks: complexity in $\Omega(\max_i(\alpha_i \sqrt{p_i}))$ if $\#G = \prod_i p_i^{\alpha_i}$
2. $G \subset (\mathbb{F}_q^*, \times)$: index calculus method with complexity in $L_q(1/3)$, where $L_q(\alpha) = \exp\left(c\,(\log q)^{\alpha} (\log\log q)^{1-\alpha}\right)$
3. $G \subset (\mathrm{Jac}_C(\mathbb{F}_q), +)$: index calculus method better than generic attacks (if $g > 2$)



SLIDE 7

Known attacks of the ECDLP Generalities on the DLP

The discrete logarithm problem on elliptic curves

Use the group of points of an elliptic curve defined over a finite field.

(EC)DLP: given P, Q ∈ G, find (if it exists) x such that $Q = [x]P$.

The group law is a good compromise between simplicity and intricacy.

[Figure: chord-and-tangent addition on the curve, showing the points P, Q, the third intersection −(P + Q) and its reflection P + Q]

Choice of the field:
- Prime field $\mathbb{F}_p = \mathbb{Z}/p\mathbb{Z}$: good security, but modular arithmetic is difficult to implement in hardware
- Extension field $\mathbb{F}_{p^n}$: interesting when p = 2 or p fits into a computer word; potentially vulnerable to index calculus

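The chord-and-tangent law sketched in the figure, worked through in code (an added example, not part of the original slides): a short Weierstrass curve y² = x³ + ax + b over F_p with affine addition, doubling, double-and-add scalar multiplication, and brute-force point counting to check Lagrange's theorem and the Hasse bound. The curve y² = x³ + 7 over F_17 and the points used are constructed for this example.

```python
"""Chord-and-tangent group law on a short Weierstrass curve y^2 = x^3 + a x + b over F_p."""
from math import isqrt

# Constructed toy curve y^2 = x^3 + 7 over F_17; the point at infinity O is represented by None.
P_MOD, A, B = 17, 0, 7

def is_on_curve(pt, p=P_MOD, a=A, b=B):
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0

def ec_neg(pt, p=P_MOD):
    """-P is the reflection of P across the x-axis."""
    return None if pt is None else (pt[0], (-pt[1]) % p)

def chord_third_point(P, Q, p=P_MOD, a=A):
    """Third intersection of the curve with the line through P and Q (tangent if P == Q):
    this is the point -(P + Q) of the figure. Returns None when the line is vertical."""
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                                          # Q = -P, vertical line
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p            # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x3 - x1) + y1) % p                          # the point still lies on the line
    return (x3, y3)

def ec_add(P, Q, p=P_MOD, a=A):
    """P + Q is the reflection of the third intersection point (O when the line is vertical)."""
    if P is None:
        return Q
    if Q is None:
        return P
    return ec_neg(chord_third_point(P, Q, p, a), p)

def ec_mul(k, P, p=P_MOD, a=A):
    """[k]P by double-and-add, k >= 0."""
    R, Q = None, P
    while k > 0:
        if k & 1:
            R = ec_add(R, Q, p, a)
        Q = ec_add(Q, Q, p, a)
        k >>= 1
    return R

def point_order(P, p=P_MOD, a=A):
    """Smallest n >= 1 with [n]P = O (brute force, fine on a toy curve)."""
    n, R = 1, P
    while R is not None:
        R = ec_add(R, P, p, a)
        n += 1
    return n

def curve_order(p=P_MOD, a=A, b=B):
    """#E(F_p) by enumeration: O plus every affine solution."""
    return 1 + sum(1 for x in range(p) for y in range(p) if is_on_curve((x, y), p, a, b))

def hasse_interval(p):
    """Integers allowed by the Hasse bound |#E(F_p) - (p + 1)| <= 2 sqrt(p)."""
    t = isqrt(4 * p)                                         # floor(2 sqrt p)
    return p + 1 - t, p + 1 + t

if __name__ == "__main__":
    P, Q = (1, 5), (2, 7)
    print("P + Q =", ec_add(P, Q), " 2P =", ec_add(P, P),
          " ord(P) =", point_order(P), " #E =", curve_order())
```

The same functions run unchanged on any odd prime p and any curve with 4a³ + 27b² ≠ 0 mod p; only `curve_order` and `point_order` are brute force and therefore tied to toy sizes.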

SLIDE 8

Known attacks of the ECDLP Generalities on the DLP

Basic outline of index calculus methods

(additive notations)

1. Choice of a factor base: $F = \{g_1, \dots, g_N\} \subset G$

2. Relation search: decompose $a_i \cdot g + b_i \cdot h$ ($a_i, b_i$ random) into F:

   $$a_i \cdot g + b_i \cdot h = \sum_{j=1}^{N} c_{i,j} \cdot g_j$$

3. Linear algebra: once k independent relations are found (k ≥ N)
   - construct the matrices $A = \begin{pmatrix} a_i & b_i \end{pmatrix}_{1 \le i \le k}$ and $M = (c_{i,j})_{1 \le i \le k,\ 1 \le j \le N}$
   - find $v = (v_1, \dots, v_k) \in \ker({}^{t}M)$ such that $vA \not\equiv 0 \pmod{\#G}$
   - compute the solution of the DLP: $x = -\left(\sum_i a_i v_i\right) \big/ \left(\sum_i b_i v_i\right) \bmod \#G$

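The three steps above, run end to end on a toy instance (an added example, not the authors' code): the DLP is taken in the multiplicative group F_1019^* with the primes up to 13 as factor base, relations g^{a_i} h^{b_i} = ∏ g_j^{c_{i,j}} are collected by trial division, a left-kernel vector v of M is computed over Q and scaled to integers (so vM = 0 holds exactly, which sidesteps linear algebra modulo the composite order p − 1 = 2·509), and x is read off as −(Σ a_i v_i)/(Σ b_i v_i) mod #G as soon as Σ b_i v_i is invertible. The parameters p = 1019, g = 2, h = 123 are constructed for this example; 2 generates F_1019^* because 1019 ≡ 3 (mod 8) makes 2 a non-residue and (1019 − 1)/2 = 509 is prime.

```python
"""Toy index calculus for h = g^x in F_p^* (multiplicative notation), following the
three steps of the slide: factor base, relation search, linear algebra on the relations."""
import math
import random
from fractions import Fraction

def factor_over_base(n, base):
    """Exponent vector of n over the factor base, or None if n is not base-smooth."""
    exps = []
    for q in base:
        e = 0
        while n % q == 0:
            n //= q
            e += 1
        exps.append(e)
    return exps if n == 1 else None

def collect_relations(p, g, h, base, count, rng):
    """Step 2: relations g^a * h^b = prod_j g_j^{c_j} in F_p^*, found by trial division."""
    A, M = [], []
    order = p - 1
    while len(M) < count:
        a, b = rng.randrange(1, order), rng.randrange(1, order)
        c = factor_over_base(pow(g, a, p) * pow(h, b, p) % p, base)
        if c is not None:
            A.append((a, b))
            M.append(c)
    return A, M

def left_kernel_vectors(M):
    """Integer vectors v with v*M = 0: row-reduce M^T over Q, read the nullspace, clear denominators."""
    k, n = len(M), len(M[0])
    rows = [[Fraction(M[i][j]) for i in range(k)] for j in range(n)]   # M^T, n rows x k columns
    pivots, r = [], 0
    for col in range(k):
        if r == n:
            break
        piv = next((i for i in range(r, n) if rows[i][col] != 0), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        inv = 1 / rows[r][col]
        rows[r] = [x * inv for x in rows[r]]
        for i in range(n):
            if i != r and rows[i][col] != 0:
                f = rows[i][col]
                rows[i] = [x - f * y for x, y in zip(rows[i], rows[r])]
        pivots.append(col)
        r += 1
    vectors = []
    for fc in (c for c in range(k) if c not in pivots):     # one kernel vector per free column
        v = [Fraction(0)] * k
        v[fc] = Fraction(1)
        for i, pc in enumerate(pivots):
            v[pc] = -rows[i][fc]
        d = 1
        for x in v:
            d = math.lcm(d, x.denominator)
        vectors.append([int(x * d) for x in v])
    return vectors

def index_calculus_dlog(p, g, h, base, seed=1, max_rounds=20):
    """Step 3: for v with vM = 0 one has g^(sum a_i v_i) * h^(sum b_i v_i) = 1, hence
    x = -(sum a_i v_i) / (sum b_i v_i) mod #G whenever the denominator is invertible.
    More relations are added until some kernel vector gives an invertible denominator."""
    order = p - 1                      # #G when g generates F_p^*
    rng = random.Random(seed)
    A, M = [], []
    for _ in range(max_rounds):
        more_A, more_M = collect_relations(p, g, h, base, len(base) + 4, rng)
        A += more_A
        M += more_M
        for v in left_kernel_vectors(M):
            sa = sum(a * vi for (a, _), vi in zip(A, v)) % order
            sb = sum(b * vi for (_, b), vi in zip(A, v)) % order
            if math.gcd(sb, order) == 1:
                return (-sa * pow(sb, -1, order)) % order
    return None                        # no usable kernel vector within the round budget

if __name__ == "__main__":
    x = index_calculus_dlog(1019, 2, 123, [2, 3, 5, 7, 11, 13])
    print("x =", x, "check:", pow(2, x, 1019) == 123)
```

The two things that make the real attacks hard are deliberately trivial here: smoothness testing is trial division (the "decomposition" problem of the later slides), and the kernel is computed densely over Q rather than with sparse methods such as Lanczos modulo #G.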

SLIDE 9

Known attacks of the ECDLP Generalities on the DLP

Index calculus

Two difficulties:

1. From a practical point of view: linear algebra is often the most delicate phase
   - matrices are huge (several millions of unknowns) but very sparse (only a few non-zero coefficients per row)
   - difficult to distribute dedicated algorithms
2. From a theoretical point of view: how to find relations?
   - on $E(\mathbb{F}_p)$, no known method
   - on $E(\mathbb{F}_{p^n})$, two existing methods:
     * transfer to $\mathrm{Jac}_C(\mathbb{F}_p)$ via Weil descent
     * direct decompositions (Gaudry/Diem)


SLIDE 14

Known attacks of the ECDLP Weil descent and cover attacks

Transfer of the ECDLP via cover maps (Weil descent)

Let $W = W_{\mathbb{F}_{q^n}/\mathbb{F}_q}(E)$ be the Weil restriction of the elliptic curve $E|\mathbb{F}_{q^n}$. The inclusion of a curve $C|\mathbb{F}_q \hookrightarrow W$ induces a cover map $\pi : C(\mathbb{F}_{q^n}) \to E(\mathbb{F}_{q^n})$.

1. Transfer the DLP from $\langle P \rangle \subset E(\mathbb{F}_{q^n})$ to $\mathrm{Jac}_C(\mathbb{F}_q)$:

   [Diagram: $\pi : C(\mathbb{F}_{q^n}) \to E(\mathbb{F}_{q^n})$; $\pi_* : \mathrm{Jac}_C(\mathbb{F}_{q^n}) \to \mathrm{Jac}_E(\mathbb{F}_{q^n}) \simeq E(\mathbb{F}_{q^n})$; $\mathrm{Tr} : \mathrm{Jac}_C(\mathbb{F}_{q^n}) \to \mathrm{Jac}_C(\mathbb{F}_q)$; g is the genus of C, with $g \ge n$]

2. Use index calculus on $\mathrm{Jac}_C(\mathbb{F}_q)$:
   → efficient if C is hyperelliptic with small genus g [Gaudry] or has a small degree plane model [Diem]

Main difficulty: find a convenient curve C with a genus small enough



SLIDE 16

Known attacks of the ECDLP Weil descent and cover attacks

The GHS construction

Gaudry-Heß-Smart (binary fields), Diem (odd characteristic case)

Given an elliptic curve $E|\mathbb{F}_{q^n}$ and a degree 2 map $E \to \mathbb{P}^1$, construct a curve $C|\mathbb{F}_q$ and a cover map $\pi : C \to E$.

Problem: for most elliptic curves, g is of the order of $2^n$
→ index calculus on $\mathrm{Jac}_C(\mathbb{F}_q)$ is usually slower than generic methods on $E(\mathbb{F}_{q^n})$

Possibility of using isogenies from E to a vulnerable curve [Galbraith] → increases the number of vulnerable curves



SLIDE 18

Known attacks of the ECDLP Decomposition attacks

Decomposition attack

Idea from Gaudry and Diem: no transfer, but apply index calculus directly on $E(\mathbb{F}_{q^n})$ (or $\mathrm{Jac}_H(\mathbb{F}_{q^n})$)

Principle

Factor base: $F = \{D_Q \in \mathrm{Jac}_H(\mathbb{F}_{q^n}) : D_Q \sim (Q) - (O_H),\ Q \in H(\mathbb{F}_{q^n}),\ x(Q) \in \mathbb{F}_q\}$

Decomposition of an arbitrary divisor $D \in \mathrm{Jac}_H(\mathbb{F}_{q^n})$ into ng divisors of the factor base:

$$D \sim \sum_{i=1}^{ng} ((Q_i) - (O_H))$$

Asymptotic complexity in $q^{2 - 2/ng}$ as $q \to \infty$
- all curves are equally weak under this attack
- decomposition is hard: need to solve polynomial systems


SLIDE 19

Known attacks of the ECDLP Decomposition attacks

Nagao’s approach for decompositions

How to check whether D = (u, v) can be decomposed?

$$D + \sum_{i=1}^{ng} ((Q_i) - (O_H)) \sim 0 \iff D + \sum_{i=1}^{ng} ((Q_i) - (O_H)) = \mathrm{div}(f)$$

where f is in the Riemann-Roch space $\mathcal{L}(ng(O_H) - D)$.

Decomposition of D: resolution of a quadratic polynomial system over $\mathbb{F}_q$ with
- n(n − 1)g variables, from the scalar restriction of the coordinates of f in the projectivized Riemann-Roch space;
- (n − 1)ng equations, expressing that the elementary symmetric polynomials of the $x(Q_i)$ lie in $\mathbb{F}_q$.


SLIDE 20

Known attacks of the ECDLP Decomposition attacks

Analysis of Nagao’s approach

Solve a 0-dimensional quadratic polynomial system of (n − 1)ng equations/variables for each decomposition test
→ complexity at least polynomial in $d = 2^{(n-1)ng}$
→ in practice, resolution is only possible for n and g ≤ 3, or g = 1 and n ≤ 5 (using Semaev's summation polynomials)

Probability of decomposition is ≃ 1/(ng)! and the factor base has ≃ q elements
→ about (ng)! q decomposition tests needed, even more for large prime variations

Relation search too slow for practical DLP resolution


SLIDE 21

A new index calculus method

Section 2 A new index calculus method



SLIDE 23

A new index calculus method Decomposition attacks for hyperelliptic Jacobians

First ingredient: improved relation search for Jacobians

Using Nagao’s approach to obtain enough decompositions is too slow

Another type of relations

Instead of decompositions, compute relations involving only elements of F:

$$\sum_{i=1}^{m} ((Q_i) - (O_H)) \sim 0$$

Heuristically, the expected number of such relations is $\simeq q^{m - ng}/m!$
→ as ≃ q relations are needed, consider m = ng + 2

Similar type of relations considered in NFS, FFS and Diem's index calculus for small degree plane curves



SLIDE 26

A new index calculus method Decomposition attacks for hyperelliptic Jacobians

Modified index calculus

H hyperelliptic curve of genus g defined over $\mathbb{F}_{q^n}$, n ≥ 2

- find relations of the form $\sum_{i=1}^{ng+2} ((Q_i) - (O_H)) \sim 0$
- linear algebra: deduce the DL of the factor base elements up to a constant
- descent phase: compute two Nagao-style decompositions to complete the DLP resolution

With Nagao: about (ng)! q quadratic polynomial systems of n(n − 1)g eq./var. to solve
With variant: only 1 under-determined quadratic system of n(n − 1)g + 2n − 2 eq. and n(n − 1)g + 2n var.

Fast resolution

Goal: find a new set of generators of the ideal such that each specialization of two variables yields an easy-to-solve system → lex Gröbner basis



SLIDE 29

A new index calculus method Decomposition attacks for hyperelliptic Jacobians

A special case: quadratic extensions in odd characteristic

Key point: define $\mathbb{F}_{q^2}$ as $\mathbb{F}_q(t)/(t^2 - \omega)$

Additional structure on the equations: the polynomials obtained after restriction of scalars are multi-homogeneous of bidegree (1, 1)
→ the variables of the first homogeneous block belong to a 1-dimensional variety

Decomposition method:
1. "specialization": choose a value for the first variables
2. the remaining variables lie in a one-dimensional vector space → easy-to-solve system

Further improvement possible by using a sieving technique

Much faster to compute decompositions with our variant → about 960 times faster for (n, g) = (2, 3) on a 150-bit curve


SLIDE 32

A new index calculus method Decomposition attacks for hyperelliptic Jacobians

The sieving technique

Fact: the solutions of the polynomial system only give the polynomial $F(x) = \prod_i (x - x(Q_i)) \in \mathbb{F}_q[x]$
→ it remains to test whether it is split.

Sieving method: avoid the factorization of F

1. Specialize the first block of variables and express all remaining variables linearly in terms of one last unknown λ
   → F becomes a polynomial in $\mathbb{F}_q[x, \lambda]$ of degree 2 in λ and 2g + 2 in x
2. Enumerate $x \in \mathbb{F}_q$ instead of λ
   → the corresponding values of λ are easier to compute
3. Possible to recover the values of λ for which there were $\deg_x F$ associated values of x

Time-memory trade-off (one counter per value of λ):

  λ  : 1    2    ···  i    ···  p − 1
  #x : x_0  x_1  x_2  ···  x_i  ···  x_{p−1}

Adapted to large prime variations by sieving only on "small primes"

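The x-enumeration of step 2, as an added example (not the authors' implementation): F(x, λ) ∈ F_p[x, λ] is stored as F_0(x) + F_1(x)λ + F_2(x)λ², each x ∈ F_p yields at most two values of λ from a quadratic, and a counter per λ plays the role of the time-memory trade-off table; the λ hit deg_x F times are exactly those for which F(·, λ) splits into distinct linear factors, which a brute-force root count confirms. The field F_31 and the polynomial F(x, λ) = (λ − 4)(λ − 9)H(x) + P(x), with P split of degree 8 = 2g + 2 for g = 3, are constructed for this example.

```python
"""Sieving in x instead of lambda over a toy field F_p, for F(x, lambda) of degree 2 in lambda."""
from collections import Counter

P = 31  # constructed toy field F_31, standing in for F_q

def poly_eval(coeffs, x, p=P):
    """Horner evaluation of [c0, c1, ...] (meaning c0 + c1 x + ...) at x mod p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc

def poly_mul(a, b, p=P):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % p
    return out

def poly_add(a, b, p=P):
    n = max(len(a), len(b))
    return [((a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0)) % p for i in range(n)]

def poly_scale(a, s, p=P):
    return [(c * s) % p for c in a]

# Square roots in F_p by table: SQRT[y] lists every s with s^2 = y (p is tiny, so this suffices).
SQRT = {}
for _s in range(P):
    SQRT.setdefault(_s * _s % P, []).append(_s)

def lambda_roots(c2, c1, c0, p=P):
    """Distinct lambda in F_p with c2 lambda^2 + c1 lambda + c0 = 0 (quadratic formula, p odd)."""
    c2, c1, c0 = c2 % p, c1 % p, c0 % p
    if c2 == 0:
        if c1 == 0:
            return set(range(p)) if c0 == 0 else set()   # degenerate: every / no lambda
        return {(-c0 * pow(c1, -1, p)) % p}
    disc = (c1 * c1 - 4 * c2 * c0) % p
    inv2a = pow(2 * c2, -1, p)
    return {((-c1 + s) * inv2a) % p for s in SQRT.get(disc, [])}

def deg_x(F):
    """Degree in x of F = [F0, F1, F2]; in this example the leading x-coefficient is lambda-free."""
    return max(len(Fj) for Fj in F) - 1

def sieve_split_lambdas(F, p=P):
    """Step 2 of the sieving method: enumerate x, solve the quadratic in lambda, and keep one
    counter per lambda (the time-memory trade-off table). A lambda hit deg_x F times is one
    for which F(x, lambda) has deg_x F distinct roots in F_p, i.e. splits without factoring."""
    hits = Counter()
    for x in range(p):
        c0, c1, c2 = (poly_eval(Fj, x, p) for Fj in F)
        for lam in lambda_roots(c2, c1, c0, p):
            hits[lam] += 1
    d = deg_x(F)
    return {lam for lam, n in hits.items() if n == d}

def brute_force_split_lambdas(F, p=P):
    """Reference: for every lambda, count the roots in x directly (the work the sieve avoids)."""
    d = deg_x(F)
    out = set()
    for lam in range(p):
        specialised = poly_add(poly_add(F[0], poly_scale(F[1], lam, p), p),
                               poly_scale(F[2], lam * lam, p), p)
        if sum(1 for x in range(p) if poly_eval(specialised, x, p) == 0) == d:
            out.add(lam)
    return out

def build_example(p=P):
    """Constructed F(x, lambda) = (lambda - 4)(lambda - 9) H(x) + P(x) over F_31, with P split of
    degree 8 = 2g + 2 (g = 3) and deg H = 7, so F(., 4) and F(., 9) are known to split."""
    roots = [1, 2, 3, 5, 8, 11, 14, 20]
    Ppoly = [1]
    for r in roots:
        Ppoly = poly_mul(Ppoly, [(-r) % p, 1], p)
    H = [5, 0, 3, 0, 0, 0, 0, 1]                       # 5 + 3 x^2 + x^7
    # (lambda - 4)(lambda - 9) = lambda^2 - 13 lambda + 36
    return [poly_add(poly_scale(H, 36, p), Ppoly, p), poly_scale(H, -13, p), H]

if __name__ == "__main__":
    F = build_example()
    print("split lambdas (sieve):", sorted(sieve_split_lambdas(F)))
```

The sieve does p quadratic solves and p counter updates, whereas the reference does p polynomial evaluations per λ; the per-λ counters are the "#x" row of the table above, and the large-prime variant mentioned on the slide amounts to restricting the x-enumeration to the chosen "small primes".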


SLIDE 35

A new index calculus method Cover and decomposition attack

Second ingredient: the combined attack

Let $E(\mathbb{F}_{q^n})$ be an elliptic curve such that
- GHS provides covering curves C with too large a genus
- n is too large for a practical decomposition attack

Cover and decomposition attack [Joux-V.]

If n is composite, combine both approaches:
1. use GHS on the subextension $\mathbb{F}_{q^n}/\mathbb{F}_{q^d}$ to transfer the DL to $\mathrm{Jac}_C(\mathbb{F}_{q^d})$
2. then use the decomposition attack on $\mathrm{Jac}_C(\mathbb{F}_{q^d})$ with base field $\mathbb{F}_q$ to solve the DLP

→ well adapted for curves defined over some Optimal Extension Fields


SLIDE 36

A new index calculus method Application to elliptic curves defined over Fq6

The sextic extension case

Extension degree n = 6 occurs for OEF; ideal target for this combined attack.

Most favorable case

$E|\mathbb{F}_{q^6}$ has a genus 3 hyperelliptic cover by $H|\mathbb{F}_{q^2}$
→ occurs for $\Theta(q^4)$ curves directly [Thériault, Momose-Chao]
→ for most curves after an isogeny walk

Otherwise, for curves defined over such extension fields:
- GHS yields a cover $C|\mathbb{F}_q$ with genus g ≥ 9, with equality for less than $q^3$ curves; index calculus on $\mathrm{Jac}_C(\mathbb{F}_q)$ is slower
- the direct decomposition attack fails to compute any relation


SLIDE 37

A new index calculus method Application to elliptic curves defined over Fq6

The sextic extension case

Comparisons and complexity estimates for 160 bits based on Magma

p 27-bit prime, $E(\mathbb{F}_{p^6})$ elliptic curve with a 160-bit prime order subgroup

1. Generic attacks: $\tilde{O}(p^3)$ cost, ≈ 5 × 10^13 years
2. Former index calculus methods:
   - Decomposition over $\mathbb{F}_{p^6}/\mathbb{F}_{p^2}$: $\tilde{O}(p^2)$ memory bottleneck
   - Decomposition over $\mathbb{F}_{p^6}/\mathbb{F}_p$: intractable
   - GHS over $\mathbb{F}_{p^6}/\mathbb{F}_p$: efficient for ≤ 1/p^3 curves; g = 9: $\tilde{O}(p^{7/4})$, ≈ 1 500 years
3. Cover and decomposition: $\tilde{O}(p^{5/3})$ cost using the hyperelliptic genus 3 cover defined over $\mathbb{F}_{p^2}$
   - Nagao-style decomposition: ≈ 750 years
   - Modified relation search: ≈ 300 years



SLIDE 42

A new index calculus method Application to elliptic curves defined over Fq6

A concrete attack on a 150-bit curve

$E : y^2 = x(x - \alpha)(x - \sigma(\alpha))$ defined over $\mathbb{F}_{p^6}$ where $p = 2^{25} + 35$, such that #E = 4 · 356814156285346166966901450449051336101786213

Previously unreachable curve: GHS gives a cover over $\mathbb{F}_p$ of genus 33...

Complete resolution of the DLP in about 1 month with cover and decomposition, using a genus 3 hyperelliptic cover $H|\mathbb{F}_{p^2}$

Relation search
- lex GB: 2.7 sec with one core (1)
- sieving: $p^2/(2 \cdot 8!) \simeq 1.4 \times 10^{10}$ relations in 62 h on 1 024 cores (2) → 960× faster than Nagao

Linear algebra
- SGE: 25.5 h on 32 cores (2) → fivefold reduction
- Lanczos: 28.5 days on 64 cores (2) (200 MB of data broadcast per round)

(Descent phase done in ∼ 14 s for one point)

(1) Magma on 2.6 GHz Intel Core 2 Duo
(2) 2.93 GHz quad-core Intel Xeon 5550

SLIDE 43

A new index calculus method Application to elliptic curves defined over Fq6

Scaling data for our implementation

Size of p               log2 p ≈ 23    log2 p ≈ 24    log2 p ≈ 25
Group size              136 bits       142 bits       148 bits
Sieving (CPU.hours)     3 600          15 400         63 500
Sieving (real time)     3.5 hours      15 hours       62 hours
Matrix column nb        990 193        1 736 712      3 092 914
(SGE reduction)         (4.2)          (4.8)          (5.4)
Lanczos (CPU.hours)     4 900          16 000         43 800
Lanczos (real time)     77 hours       250 hours      28.5 days

→ approximately 200 CPU.years to break the DLP over a 160-bit curve group


SLIDE 44

Cover and Decomposition Index Calculus on Elliptic Curves made practical

Application to a previously unreachable curve over Fp6 Vanessa VITSE – Antoine JOUX

Université de Versailles Saint-Quentin, Laboratoire PRISM

Eurocrypt 2012
